MarkLogic Server 11.0 Product Documentation
sec:create-role

sec:create-role(
   $role-name as xs:string,
   $description as xs:string?,
   $role-names as xs:string*,
   $permissions as element(sec:permission)*,
   $collections as xs:string*,
   [$compartment as xs:string?],
   [$external-names as xs:string*],
   [$queries as map:map]
) as xs:unsignedLong

Summary

Creates a new role in the system database for the context database.

If $role-name is not unique, an error is returned.

If one of the $role-names does not identify a role, an error is returned.

If the current user is limited to granting only his/her roles, and $role-names is not a subset of the current user's roles, then an error is returned.

Returns the role-id.

Parameters
role-name The name of the role to be created.
description A description of the role to be created.
role-names A sequence of role names to which the role is assigned.
permissions The default permissions for the role.
collections The default collections for the role.
compartment The compartment to assign to the role.
external-names The external names for the role. Or an empty sequence, if no external names are used.
queries A map from capabilities (read, update, node-update, and execute) to cts queries of the role.

Required Privileges

http://marklogic.com/xdmp/privileges/create-role or create-data-role
and for role assignment:
http://marklogic.com/xdmp/privileges/grant-all-roles or
http://marklogic.com/xdmp/privileges/grant-my-roles
and, for creating roles with queries:
http://marklogic.com/xdmp/privileges/role-set-queries

Usage Notes

This function must be executed against the security database.

Example


(: execute this against the security database. :)
xquery version "1.0-ml";
import module namespace sec="http://marklogic.com/xdmp/security" at 
    "/MarkLogic/security.xqy";

sec:create-role(
    "Temporary",
    "Temporary worker access",
    ("filesystem-access"),
    (),
    ("testDocument"))
   
(: Creates a new role, named "Temporary," with the default collection, 
   named testDocument. :)  
  

Example


(: execute this against the security database. :)
xquery version "1.0-ml";
import module namespace sec="http://marklogic.com/xdmp/security" at 
  "/MarkLogic/security.xqy";

sec:create-role(
  "region-NA", 
  "Can see NA documents.",
  (), (), (), "compartment-region", (), 
  map:map()=>map:with(
    "read", 
    cts:element-query(xs:QName("metadata"), 
      cts:element-word-query(xs:QName("region"), "NA")))
  ) 

(: Creates a new role, named "region-NA", and with compartment 
   "compartment-region". "region-NA" has role queries which allow any users with 
   this role to read documents that have "region-NA" in the metadata. :)   
  
Powered by MarkLogic Server | Terms of Use | Privacy Policy